OFFICE OF INSPECTOR GENERAL

AUDIT OF THE INTER-AMERICAN FOUNDATION’S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 FOR FISCAL YEAR 2014

AUDIT REPORT NO. A-IAF-14-009-P
SEPTEMBER 19, 2014

WASHINGTON, D.C.

This is a summary of our report on the “Audit of the Inter-American Foundation’s Compliance With the Federal Information Security Management Act of 2002 for Fiscal Year 2014” (No. A-IAF-14-009). The Federal Information Security Management Act of 2002 (FISMA) requires agencies to develop, document, and implement an agency-wide information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or other source. The act also requires agencies to have an annual assessment of their information systems.

The Office of Inspector General (OIG) contracted with the independent certified public accounting firm of CliftonLarsonAllen LLP to conduct the audit. Clifton was required to conduct the audit in accordance with U.S. Government auditing standards. The objective was to determine whether the Inter-American Foundation (IAF) implemented selected minimum security controls for selected information systems in support of FISMA.

To answer the audit objective, Clifton assessed whether IAF implemented selected management, technical, and operational controls outlined in National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 3. Clifton performed audit fieldwork at IAF’s headquarters in Washington, D.C., from March 25 through July 14, 2014.

The audit concluded that IAF implemented 77 of 85 tested security controls in support of FISMA. For example, IAF did the following.

• Established adequate information technology security policies and procedures related to access controls, awareness and training, audit and accountability, security assessment and authorization, and personnel security.

• Implemented effective account management procedures.

• Maintained adequate control over physical access to facilities and the computer room.

• Established adequate processing procedures for bringing on new employees and for employees leaving the organization.

Based on Clifton’s report, OIG made five recommendations to help IAF strengthen its information security program. OIG acknowledged IAF’s management decisions on each of those recommendations.

U.S. Agency for International Development
Office of Inspector General
1300 Pennsylvania Avenue, NW
Washington, DC 20523
Tel: 202-712-1150
Fax: 202-216-3047
http://oig.usaid.gov